Control Plane Resilience: The Method of Strong Detection
Download
1 / 23

Control Plane Resilience: The Method of Strong Detection Raj Kumar Vishal Misra Dan Rubenstein - PowerPoint PPT Presentation


  • 41 Views
  • Uploaded on

Control Plane Resilience: The Method of Strong Detection Raj Kumar Vishal Misra Dan Rubenstein. Allerton, 9/28/06. Routing Protocols with Misconfigurations. Routing Protocols in “friendly” environments are well understood, e.g., Link State: global knowledge, centralized approach

loader
I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
capcha
Download Presentation

PowerPoint Slideshow about ' Control Plane Resilience: The Method of Strong Detection Raj Kumar Vishal Misra Dan Rubenstein' - russell-ryan


An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.


- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript

Control Plane Resilience: The Method of Strong Detection

Raj Kumar

Vishal Misra

Dan Rubenstein

Allerton, 9/28/06


Routing protocols with misconfigurations
Routing Protocols with Misconfigurations

  • Routing Protocols in “friendly” environments are well understood, e.g.,

    • Link State: global knowledge, centralized approach

    • Distance Vector (a.k.a. Bellman-Ford): known to converge (quickly), adapt to changes, etc.

    • BGP (Path-Vector): some problems in converging when routes change, significant literature evaluating/understanding

  • Critical Assumption for correctness: Nodes follow the proper protocol procedure

  • Q: What happens when nodes don’t follow the protocol like they’re supposed to?


History shows misbehaving nodes can be a big problem

8765

7007

7074

6957

5165

2134

4345

History Shows: Misbehaving nodes can be a big problem

  • The infamous BGP AS 7007 Incident:

  • Consider routes to node 8765

Traffic goes where it is supposed to


Nodes don t always behave

8765

7007

7074

6957

5165

2134

4345

Nodes don’t always “behave”

  • The infamous BGP AS 7007 Incident:

Traffic enters “black hole”


Theory to detect bad nodes

Can I tell if my neighbors are giving me the correct information?

Theory to detect “Bad” Nodes

  • Rules:

    • “Bad” nodes can cheat, “Good” nodes can attempt to detect the bad nodes

    • “Good” nodes must limited to information provided by the routing protocol

      • Want to exchange additional info, modify the protocol

  • Challenge: When can a good node determine something isn’t right?


A node s info its state

A information?

B

D

E

A Node’s Info: Its State

  • A node’s state is its (only) view of the network

    • e.g., Distance-Vector (a.k.a. Bellman-Ford)

C

F

G

Note our convention: (I,J) in state table reports node I’s distance to J (not local node’s distance to J through I)


Detection

N information?

X

Y

N

X

Y

1

3

Detection

  • Assume: Routes have stabilized (routing protocol inactive)

  • Q: For routing protocol P, given a good node’s state, what misconfigurations can it detect/observe within the network?

  • Note: A node can’t always detect a problem

D(X,Y) = 3

1

1

An undetectable misconfig at node N:


Prior work weak detection
Prior Work: “Weak” Detection information?

  • Process for constructing a weak detection method:

    • Find a property that a node’s state should exhibit

    • Check the property in a node’s state

    • Declare misconfiguration in network if property is violated

  • A detection method is “Weak” if it fails to identify a misconfiguration that is detectable using another method (on same state)


A weak detection method symmetry
A Weak Detection Method: Symmetry information?

  • In an undirected graph, D(X,Y) = D(Y,X)

    • Here, D(A,B) = 1

    • But D(B,A) = 4

  • Using symmetry, found a misconfiguration

  • So why is Symmetry weak?


Another weak detection method triangle inequality dmz 03
Another Weak Detection Method: Triangle Inequality [DMZ’03]

  • Triangle inequality should hold:

    D(X,Z) ≤ D(X,Y) + D(Y,Z)

  • Violated here:

    • D(B,E) = 3

    • D(B,A) = 1

    • D(A,E) = 1

    • D(B,E) > D(B,A) + D(A,E)

  • Note: symmetry property not violated

  • Example shows why detection via symmetry is weak: failed to identify a detectable misconfiguration

  • So why is triangle inequality weak?


Weakness of triangle inequality

D [DMZ’03]

Weakness of Triangle Inequality

A

  • Suppose graph edge lengths are all 1

  • No violation of symmetry or triangle inequality

C

B

Where to place edges?

A and B are our neighbors

C is distance 1 from B

D is distance 3 from both A & B: nowhere to put connecting edge


Strong detection
“Strong” Detection [DMZ’03]

  • A detection method is “strong” if it always detects detectable misconfigurations

  • More formally, Let

    • μ be a method to detect misconfigurations

    • C = {N} be the set of valid networks (what the network might look like)

    • NR: the actual network (Note NRє C)

    • sn(N) is state of node n when the routing protocol is executed correctly (and stabilized) within a network N є C

    • s’n(NR) be the state actually computed at node n (possibly with misconfigurations) in network NR

  • μ is a strong detection method if one of the following holds whenever s’n(NR) ≠ sn(NR):

    • Detected: μ detects that sn(NR) ≠ s’n(NR)

    • Undetectable: No method μ’ exists that can detect sn(NR)≠s’n(NR)


A high complexity strong detection algorithm
A High-Complexity Strong Detection Algorithm [DMZ’03]

  • Input:

    • State s’n(NR) of node n for the “real” but unknown network NR

    • Description of set of allowable networks, C = {N}

  • Algorithm: For each N є C

    • Compute sn(N)

    • If sn(N) = s’n(NR) then return MISCONFIG UNDETECTABLE (N might be the valid network)

  • If no N є C matches, then misconfiguration detected

Algorithm Complexity is Ω(C), often huge!


Low complexity strong detection
Low-Complexity Strong-Detection [DMZ’03]

  • Q: Can Strong Detection be achieved with low complexity?

  • A: Sometimes: we show how to do it for Bellman-Ford (a.k.a. Distance Vector)


Strong detection for d v
Strong Detection for D.V. [DMZ’03]

  • Input at node n:

    • S’n(NR): a single node’s (steady state) state table that reports each neighbor’s (supposed) distance to all nodes

    • Set C of all allowable networks

      • defined by {Axy}: Axy is the set of allowable lengths of edges between node x and y

      • E.g., Axy = [0,3) U [4,4] U [7,100]

S’n(NR)


Strong detection in d v at a node n

D [DMZ’03]

F

G

A

B

C

n

G

E

B

C

n

E

F

D

A

M

Strong Detection in D.V. at a node, n

  • Take node n’s state, s’n(NR)

  • Use this state to build the canonical graph, M є C

  • Simulate D.V. on M to generate simulated state sn(M)

  • We will prove:

    • If sn(M) ≠ s’n(NR), then misconfiguration detected

    • Else, either there is no misconfiguration, or it is undetectable (using node n’s state) because M might be the actual network

s’n (NR)

sn(M)


Creating the canonical graph m for an undirected network
Creating the Canonical Graph, M for an undirected network [DMZ’03]

  • For each pair of nodes (x,y):

    • Create edge (x,y) with length exy = smallest value in Axy ≥ maxm є V(n) |d(m,x) – d(m,y)|

    • exy = ∞ if all values in Axy too small

  • Consider state table on left

    • eCD ≥ max(|12-5|, |13-9|, |8-12|) = 7

    • If ACD = [1,1] U [4,6] U [8,10], then eCD = 8


Proving strongness of the canonical graph method
Proving Strongness of the Canonical Graph Method [DMZ’03]

  • N: a network for which sn(N) = s’n(NR), when such a network N exists

  • M: the canonical graph constructed by n from s’n(NR)

  • fxy: length of edge (x,y) in N (when the edge exists)

  • exy: length of edge (x,y) in M (edges always exist)

  • dG(x,y): shortest path distance from x to y in network G

  • Assume: all edges have positive length (easy to extend when edges can also have length 0)

  • High Level Sketch of Proof:

    • If N exists where sn(N) = s’n(NR), then sn(M) = sn(N) = s’n(NR)

    • If N does not exist, then sn(M) ≠ s’n(NR)


Bounds on e xy

n [DMZ’03]

v

Bounds on exy

  • Lemma 1: If sn(N) = s’n(NR) for some N є C and edge (x,y) exists in N with length fxy, then exy ≤ fxy

  • Proof: In N, x & y’s distances to any neighbor v must differ by at most fxy, i.e.: For each neighbor v, |dN(v,y) – dN(v,x)| ≤ fxy

  • Hence maxm є V(n) |d(m,x) – d(m,y)| ≤ fxy

  • Recall exy = smallest value in Axy ≥ maxm є V(n) |d(m,x) – d(m,y)|

  • Since N є C, we have fxy є Axy and so exy ≤ fxy

y

x

fxy


in M: [DMZ’03]

exy

y

y

x

fxy

  • Lemma 2: If sn(N) = s’n(NR) for some N є C, then dM(v,x) ≤ dN(v,x) for all neighbors v and all nodes x

  • Proof: by contradiction. Select x with smallest dN(v,x) where dM(v,x) > dN(v,x)

  • Let y be a preceding node on a shortest path from v to x in N: fxy is the edge connecting y to x on this path, so dN(v,y) < dN(v,x) and |dN(v,x) – dN(v,y)| = fxy

  • dN(v,y) < dN(v,x), hence y not blue dM(v,y) ≤ dN(v,y), so dM(v,y) ≤ dN(v,y) < dN(v,x) < dM(v,x)

  • fxy = |dN(v,x) – dN(v,y)| < |dM(v,x) – dM(v,y)| ≤ exy

Blue nodes t satisfydM(v,t) > dN(v,t)

v

x

n

Distance from v in N

Contradicts Lemma 1 (which states exy ≤ fxy)!!


in N: [DMZ’03]

v

y

y

exy

x

Blue nodes t satisfydM(v,t) < dN(v,t)

  • Lemma 3: If sn(N) = s’n(NR) for some N є C, then dM(v,x) ≥ dN(v,x) for all neighbors v and all nodes x

  • Proof: by contradiction. Select x with smallest dM(v,x) where dM(v,x) < dN(v,x)

  • Let y be the node preceding x on a shortest path from v to x in M where edge exy connects y to x on this path: hence dM(v,y) < dM(v,x) and exy = dM(v,x) - dM(v,y)

  • dM(v,y) < dM(v,x), hence y not blue dM(v,y) ≥ dN(v,y)

  • Hence exy = dM(v,x) - dM(v,y) < dN(v,x) - dN(v,y) = | dN(v,x) - dN(v,y) |

x

n

Distance from v in M

But exy = maxm |dN(m,x) – dN(m,y)|, and

maxm |dN(m,x) – dN(m,y)|≥ |dN(v,x) – dN(v,y)| !! Contradiction!


The main result
The Main Result [DMZ’03]

  • Some N є C produces state sn(N) = s’n(NR)  sn(M) = s’n(NR)

  • Proof:

    •  Follows from Lemma 2 (dM(v,x) ≤ dN(v,x))and Lemma 3(dM(v,x) ≥ dN(v,x))

    •  If no N є C produces state s’n(N), since M є C, M cannot produce state = s’n(N)

  • In other words, only need to check if sn(M) = s’n(NR)

  • Complexity: O(|V|3)

    • Construct the canonical graph, M

    • Simulate Bellman-Ford

    • Compare State Tables


Extensions future directions
Extensions / Future Directions [DMZ’03]

  • Same idea works for:

    • Directed graphs

    • Using state info from a set of trusted nodes

  • Similar canonical graph construction works for path-vector variants

  • Future Directions:

    • Identifying the offending node (not just its existence)

    • Performing Strong Detection for other routing protocols (Ad-hoc network, geographical positioning)


ad